From f2dc5b014d68fa61bacd5f9928eedd0c4c882070 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer
Date: Mon, 10 Apr 2023 14:56:15 +0200
Subject: Issue #24: Annotationen für formularbasierte Berechtigungsprüfung

---
 .../DNPM/security/FormBasedSecurityAspects.java    | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 src/main/java/DNPM/security/FormBasedSecurityAspects.java

(limited to 'src/main/java/DNPM/security/FormBasedSecurityAspects.java')

diff --git a/src/main/java/DNPM/security/FormBasedSecurityAspects.java b/src/main/java/DNPM/security/FormBasedSecurityAspects.java
new file mode 100644
index 0000000..3dea944
--- /dev/null
+++ b/src/main/java/DNPM/security/FormBasedSecurityAspects.java
@@ -0,0 +1,51 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.Procedure;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.AfterReturning;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+import java.util.Arrays;
+
+@Component
+@Aspect
+public class FormBasedSecurityAspects {
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    private final FormBasedPermissionEvaluator permissionEvaluator;
+
+    public FormBasedSecurityAspects(
+            final FormBasedPermissionEvaluator permissionEvaluator
+            ) {
+        this.permissionEvaluator = permissionEvaluator;
+    }
+
+    @AfterReturning(value = "@annotation(FormSecuredResult)", returning = "procedure")
+    public void afterProcedureFormBased(Procedure procedure) {
+        if (
+                null != procedure
+                        && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)
+        ) {
+            logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId());
+            throw new IllegalSecuredObjectAccessException();
+        }
+    }
+
+    @Before(value = "@annotation(FormSecured)")
+    public void beforeProcedureFormBased(JoinPoint jp) {
+        Arrays.stream(jp.getArgs())
+                .filter(arg -> arg instanceof Procedure)
+                .forEach(procedure -> {
+                    if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) {
+                        logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId());
+                        throw new IllegalSecuredObjectAccessException();
+                    }
+                });
+    }
+}
-- 
cgit v1.2.3